A study of IoT malware activities using association rule learning for darknet sensor data

Along with the proliferation of Internet of Things (IoT) devices, cyberattacks towards these devices are on the rise. In this paper, we present a study on applying Association Rule Learning to discover the regularities of these attacks from the big stream data collected on a large-scale darknet. By exploring the regularities in IoT-related indicators such as destination ports, type of service, and TCP window sizes, we succeeded in discovering the activities of attacking hosts associated with well-known classes of malware programs. As a case study, we report an interesting observation of the attack campaigns before and after the first source code release of the well-known IoT malware Mirai. The experiments show that the proposed scheme is effective and efficient in early detection and tracking of activities of new malware on the Internet and hence induces a promising approach to automate and accelerate the identification and mitigation of new cyber threats.